diff --git a/lib/module/default.nix b/lib/module/default.nix
index 4b00ad8..d0b1e84 100644
--- a/lib/module/default.nix
+++ b/lib/module/default.nix
@@ -64,23 +64,23 @@ rec {
 };
 services = {
- # postgresql = lib.mkIf cfg.configureDb {
- # enable = true;
- # ensureDatabases = [ name ];
- # ensureUsers = [
- # {
- # name = name;
- # ensureDBOwnership = true;
- # }
- # ];
- # };
+ postgresql = lib.mkIf cfg.configureDb {
+ enable = true;
+ ensureDatabases = [ name ];
+ ensureUsers = [
+ {
+ name = name;
+ ensureDBOwnership = true;
+ }
+ ];
+ };
 };
- systemd.tmpfiles.rules = [
- "d ${cfg.configDir} 0700 ${name} ${name} - -"
- "d ${cfg.configDir}/server-files 0700 ${name} ${name} - -"
- "d ${cfg.configDir}/user-files 0700 ${name} ${name} - -"
- ];
+ # systemd.tmpfiles.rules = [
+ # "d ${cfg.configDir} 0700 ${name} ${name} - -"
+ # # "d ${cfg.configDir}/server-files 0775 ${name} ${name} - -"
+ # # "d ${cfg.configDir}/user-files 0775 ${name} ${name} - -"
+ # ];
 } // moduleConfig;
 in
 { config, lib, ... }:
diff --git a/modules/nixos/services/authentik/default.nix b/modules/nixos/services/authentik/default.nix
index 9714652..0fa8176 100644
--- a/modules/nixos/services/authentik/default.nix
+++ b/modules/nixos/services/authentik/default.nix
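Review bot: Commenting out `systemd.tmpfiles.rules` removes the only place in this diff that creates `${cfg.configDir}` with mode `0700 ${name} ${name}`, while the authentik module in the same commit now bind-mounts `${cfg.configDir}/authentik-rac:/media` into the rac container; unless another module creates that directory, it will either be missing at unit start or be created by the container runtime with whatever owner and mode it defaults to. The commented replacement also relaxes the two sub-directory rules from `0700` to `0775`, which makes them group-writable and world-readable if they are ever re-enabled; keep `0700` unless a shared group genuinely needs access. If disabling the rules is intentional, a one-line comment such as `# directories are created by <module> — tmpfiles rules disabled here` would stop this reading as a regression.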
@@ -6,68 +6,68 @@
 }:
 with lib;
 let
- cfg = config.${namespace}.services.authentik;
-in
-{
- imports = [ ./options.nix ];
+ name = "authentik";
+ cfg = config.${namespace}.services.${name};
- config = mkIf cfg.enable {
- services.authentik = {
- enable = true;
- environmentFile = cfg.environmentFile;
- settings = {
- port = cfg.port;
+ authentikConfig = lib.${namespace}.mkModule {
+ inherit config name;
+ description = "authentik Service";
+ options = { };
+ moduleConfig = {
+ services = {
+ authentik = {
+ enable = true;
+ environmentFile = cfg.environmentFile;
+ settings = {
+ port = cfg.port;
+ };
+ };
+ redis.servers.authentik = {
+ enable = mkDefault true;
+ port = mkDefault 6379;
+ };
+
+ # postgresql = {
+ # enable = mkDefault true;
+ # ensureDatabases = [ name ];
+ # ensureUsers = [
+ # {
+ # name = name;
+ # ensureDBOwnership = true;
+ # }
+ # ];
+ # };
 };
- };
- # Open firewall for authentik if enabled
- networking.firewall = mkIf cfg.openFirewall {
- allowedTCPPorts = [
- cfg.port
- 4822
- ];
- allowedUDPPorts = [
- cfg.port
- 4822
- ];
- };
+ # Open firewall for authentik if enabled
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [
+ 4822
+ ];
+ allowedUDPPorts = [
+ 4822
+ ];
+ };
- # Ensure PostgreSQL is configured for authentik
- services.postgresql = {
- enable = mkDefault true;
- ensureDatabases = [ "authentik" ];
- ensureUsers = [
- {
- name = "authentik";
- ensureDBOwnership = true;
- }
- ];
- };
-
- # Ensure Redis is configured for authentik
- services.redis.servers.authentik = {
- enable = mkDefault true;
- port = mkDefault 6379;
- };
-
- virtualisation.oci-containers.containers.authentik_rac = {
- autoStart = true;
- image = "ghcr.io/goauthentik/rac";
- ports = [ "4822:4822" ];
- volumes = [
- "/media/nas/main/nix-app-data/authentik-rac:/media"
- ];
- # environmentFiles = [
- # "/media/nas/main/nix-app-data/lubelogger/lubelogger.env"
- # ];
- environment = {
- AUTHENTIK_HOST = "https://authentik.mjallen.dev";
- AUTHENTIK_TOKEN = "0XGkB2pXoOTqcCMAjucAtfamvlsIZCPmy1Zri54Ozjj3zzMCvcLwkQPrukfx";
- AUTHENTIK_INSECURE = "false"; # Set to true for self-signed certs
- PUID = toString config.users.users.nix-apps.uid;
- PGID = toString config.users.groups.jallen-nas.gid;
- TZ = "America/Chicago";
+ virtualisation.oci-containers.containers.authentik_rac = {
+ autoStart = true;
+ image = "ghcr.io/goauthentik/rac";
+ ports = [ "4822:4822" ];
+ volumes = [
+ "${cfg.configDir}/authentik-rac:/media"
+ ];
+ environment = {
+ AUTHENTIK_HOST = "https://${name}.mjallen.dev";
+ AUTHENTIK_TOKEN = "0XGkB2pXoOTqcCMAjucAtfamvlsIZCPmy1Zri54Ozjj3zzMCvcLwkQPrukfx";
+ AUTHENTIK_INSECURE = "false"; # Set to true for self-signed certs
+ PUID = toString cfg.puid;
+ PGID = toString cfg.pgid;
+ TZ = cfg.timeZone;
+ };
 };
 };
 };
+in
+{
+ imports = [ authentikConfig ];
 }
diff --git a/systems/x86_64-linux/jallen-nas/apps.nix b/systems/x86_64-linux/jallen-nas/apps.nix
index ce6f4a0..7973c3e 100755
--- a/systems/x86_64-linux/jallen-nas/apps.nix
+++ b/systems/x86_64-linux/jallen-nas/apps.nix
@@ -1,29 +1,10 @@
-{ config, namespace, ... }:
+{ config, lib, namespace, ... }:
+let
+ inherit (lib.${namespace}) enabled disabled;
+in
 {
 ${namespace} = {
 services = {
- # Existing properly namespaced services
- immich.enable = true;
- jellyfin.enable = true;
- jellyseerr = {
- enable = true;
- dataDir = "/media/nas/main/nix-app-data/jellyseerr";
- };
- lubelogger.enable = true;
- nextcloud.enable = true;
- opencloud = {
- enable = true;
- port = 9200;
- reverseProxy.enable = true;
- };
- onlyoffice.enable = false;
- collabora.enable = true;
- ai.enable = true;
- paperless.enable = true;
- traefik.enable = true;
- wyoming.enable = true;
-
- # Newly migrated services
 actual = {
 enable = true;
 port = 3333;
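Review bot: `AUTHENTIK_TOKEN` is still a literal API token on the new side of the `authentik_rac` container block; a value written into a NixOS module is rendered into the container unit in the world-readable Nix store and is already in git history, so it belongs in the sops-managed environment file (`cfg.environmentFile` already exists, and the container accepts `environmentFiles`), e.g. `environmentFiles = [ cfg.environmentFile ];` with `AUTHENTIK_TOKEN` moved there, and the current token should be rotated. The hunk also drops the `services.postgresql` ensureDatabases/ensureUsers block and leaves its replacement commented out, while the consumer in apps.nix (hunk `@@ -37,51 +18,20 @@`) keeps `# configureDb = true;` commented as well, so after this commit nothing in the diff provisions the authentik database or role. `networking.firewall` no longer opens `cfg.port`, which is fine if authentik is only reachable through the reverse proxy, but a short comment stating that would keep it from reading as a regression.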
@@ -37,51 +18,20 @@
 ];
 };
 };
-
- ocis.enable = false;
-
- ersatztv = {
+ ai = enabled;
+ arrs = enabled;
+ attic = {
 enable = true;
- configPath = "/media/nas/main/nix-app-data/ersatztv";
- moviesPath = "/media/nas/main/movies";
- tvPath = "/media/nas/main/tv";
- transcodePath = "/media/nas/main/nix-app-data/transcode";
+ port = 9012;
+ listenAddress = "[::]";
+ environmentFile = "/run/secrets/jallen-nas/attic-key";
 };
-
- arrs = {
+ authentik = {
 enable = true;
- localAddress = "10.0.1.51";
- downloadsDir = "/media/nas/main/ssd_app_data/downloads";
- incompleteDownloadsDir = "/media/nas/main/ssd_app_data/downloads-incomplete";
- moviesDir = "/media/nas/main/movies";
- tvDir = "/media/nas/main/tv";
- isosDir = "/media/nas/main/isos";
- radarr = {
- enable = true;
- port = 7878;
- dataDir = "/media/nas/main/nix-app-data/radarr";
- };
- sonarr = {
- enable = true;
- port = 8989;
- dataDir = "/media/nas/main/nix-app-data/sonarr";
- };
- sabnzbd = {
- enable = true;
- port = 8280;
- dataDir = "/media/nas/main/nix-app-data/sabnzbd";
- };
- deluge = {
- enable = false;
- port = 8112;
- };
- jackett = {
- enable = false;
- port = 9117;
- dataDir = "/media/nas/main/nix-app-data/jackett";
- };
+ # configureDb = true;
+ port = 9000;
+ environmentFile = "/run/secrets/jallen-nas/authentik-env";
 };
-
 calibre = {
 enable = true;
 port = 8084;
@@ -90,7 +40,19 @@
 webDir = "/media/nas/main/nix-app-data/calibre-web";
 dataDir = "/media/nas/main/books";
 };
-
+ code-server = {
+ enable = true;
+ port = 4444;
+ user = "admin";
+ group = "jallen-nas";
+ host = "0.0.0.0";
+ auth = "none";
+ hashedPassword = "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06";
+ extraEnvironment = {
+ PROXY_DOMAIN = "code.mjallen.dev";
+ };
+ };
+ collabora = enabled;
 crowdsec = {
 enable = true;
 port = 8181;
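Review bot: The `code-server` block re-added in hunk `@@ -90,7 +40,19 @@` combines `auth = "none"` with `host = "0.0.0.0"`, which serves the editor (and its terminal, running as `user = "admin"`) without authentication on every interface; with `auth` set to `none` the `hashedPassword` line is not consulted, so it gives no protection here. The lines are moved rather than newly written, but the new side is what gets deployed: if the reverse proxy behind `PROXY_DOMAIN` is meant to be the only entry point, bind `host` to the loopback or internal address the proxy uses, otherwise set `auth = "password";` so the hash is actually enforced. The yescrypt hash is also committed in plaintext even though this file already uses `/run/secrets/...` paths and `config.sops.secrets`, so a secret file would fit the existing pattern.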
@@ -98,7 +60,14 @@
 apiKey = config.sops.secrets."jallen-nas/crowdsec-capi".path;
 dataDir = "/media/nas/main/nix-app-data/crowdsec";
 };
-
+ ersatztv = {
+ enable = true;
+ configPath = "/media/nas/main/nix-app-data/ersatztv";
+ moviesPath = "/media/nas/main/movies";
+ tvPath = "/media/nas/main/tv";
+ transcodePath = "/media/nas/main/nix-app-data/transcode";
+ };
+ free-games-claimer.enable = true;
 gitea = {
 enable = true;
 httpPort = 3000;
@@ -114,7 +83,15 @@
 ];
 };
 };
-
+ glance = {
+ enable = true;
+ port = 5555;
+ };
+ glances = {
+ enable = true;
+ port = 61208;
+ bindAddress = "0.0.0.0";
+ };
 headscale = {
 enable = false;
 port = 2112;
@@ -128,77 +105,14 @@
 ];
 };
 };
-
- unmanic = {
+ immich = enabled;
+ jellyfin = enabled;
+ jellyseerr = {
 enable = true;
- configPath = "/media/nas/main/nix-app-data/unmanic/config";
- moviesPath = "/media/nas/main/movies";
- tvPath = "/media/nas/main/tv";
- transcodePath = "/media/nas/main/nix-app-data/unmanic/transcode";
+ dataDir = "/media/nas/main/nix-app-data/jellyseerr";
 };
-
- uptime-kuma = {
- enable = true;
- port = 3001;
- dataDir = "/media/nas/main/nix-app-data/uptime-kuma";
- };
-
- glance = {
- enable = true;
- port = 5555;
- };
-
- free-games-claimer.enable = true;
-
- manyfold.enable = true;
-
- orca-slicer = {
- enable = true;
- httpPort = "3100";
- httpsPort = "3101";
- };
-
- tdarr.enable = false;
-
- authentik = {
- enable = true;
- port = 9000;
- environmentFile = "/run/secrets/jallen-nas/authentik-env";
- };
-
- attic = {
- enable = true;
- port = 9012;
- listenAddress = "[::]";
- environmentFile = "/run/secrets/jallen-nas/attic-key";
- };
-
- protonmail-bridge = {
- enable = true;
- smtpPort = 1025;
- imapPort = 1143;
- user = "admin";
- };
-
- netbootxyz = {
- enable = true;
- };
-
- ntfy = {
- enable = true;
- port = 2586;
- localAddress = "10.0.1.3";
- dataDir = "/media/nas/main/nix-app-data/ntfy";
- reverseProxy = {
- enable = true;
- subdomain = "ntfy";
- middlewares = [
- "crowdsec"
- "whitelist-geoblock"
- ];
- };
- };
-
+ lubelogger = enabled;
+ manyfold = enabled;
 matrix = {
 enable = true;
 port = 8448;
@@ -213,26 +127,43 @@
 ];
 };
 };
-
- glances = {
+ netbootxyz = {
 enable = true;
- port = 61208;
- bindAddress = "0.0.0.0";
 };
-
- code-server = {
+ nextcloud = enabled;
+ ntfy = {
 enable = true;
- port = 4444;
- user = "admin";
- group = "jallen-nas";
- host = "0.0.0.0";
- auth = "none";
- hashedPassword = "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06";
- extraEnvironment = {
- PROXY_DOMAIN = "code.mjallen.dev";
+ port = 2586;
+ localAddress = "10.0.1.3";
+ dataDir = "/media/nas/main/nix-app-data/ntfy";
+ reverseProxy = {
+ enable = true;
+ subdomain = "ntfy";
+ middlewares = [
+ "crowdsec"
+ "whitelist-geoblock"
+ ];
 };
 };
-
+ ocis = disabled;
+ onlyoffice = disabled;
+ opencloud = {
+ enable = true;
+ port = 9200;
+ reverseProxy.enable = true;
+ };
+ orca-slicer = {
+ enable = true;
+ httpPort = "3100";
+ httpsPort = "3101";
+ };
+ paperless = enabled;
+ protonmail-bridge = {
+ enable = true;
+ smtpPort = 1025;
+ imapPort = 1143;
+ user = "admin";
+ };
 restic = {
 enable = true;
 port = 8008;
@@ -242,6 +173,21 @@
 htpasswdFile = "/media/nas/main/backup/restic/.htpasswd";
 extraFlags = [ "--no-auth" ];
 };
+ tdarr = disabled;
+ traefik = enabled;
+ unmanic = {
+ enable = true;
+ configPath = "/media/nas/main/nix-app-data/unmanic/config";
+ moviesPath = "/media/nas/main/movies";
+ tvPath = "/media/nas/main/tv";
+ transcodePath = "/media/nas/main/nix-app-data/unmanic/transcode";
+ };
+ uptime-kuma = {
+ enable = true;
+ port = 3001;
+ dataDir = "/media/nas/main/nix-app-data/uptime-kuma";
+ };
+ wyoming = enabled;
 };
 };
 }